From 3e41893507b563c15b8d46a4717d2b7e92622502 Mon Sep 17 00:00:00 2001 From: Ian Jackson Date: Wed, 14 Nov 2012 11:37:55 +0000 Subject: VCPU/timers: Prevent overflow in calculations, leading to DoS vulnerability The timer action for a vcpu periodic timer is to calculate the next expiry time, and to reinsert itself into the timer queue. If the deadline ends up in the past, Xen never leaves __do_softirq(). The affected PCPU will stay in an infinite loop until Xen is killed by the watchdog (if enabled). This is a security problem, XSA-20 / CVE-2012-4535. Signed-off-by: Andrew Cooper Acked-by: Ian Campbell Committed-by: Ian Jackson xen-unstable changeset: 26148:bf58b94b3cef Backport-requested-by: security@xen.org Committed-by: Ian Jackson --- xen/common/domain.c | 3 +++ xen/include/xen/time.h | 2 ++ 2 files changed, 5 insertions(+) diff --git a/xen/common/domain.c b/xen/common/domain.c index ab41187d79..ef3d6f8db3 100644 --- a/xen/common/domain.c +++ b/xen/common/domain.c @@ -823,6 +823,9 @@ long do_vcpu_op(int cmd, int vcpuid, XEN_GUEST_HANDLE(void) arg) if ( set.period_ns < MILLISECS(1) ) return -EINVAL; + if ( set.period_ns > STIME_DELTA_MAX ) + return -EINVAL; + v->periodic_period = set.period_ns; vcpu_force_reschedule(v); diff --git a/xen/include/xen/time.h b/xen/include/xen/time.h index 38ead92755..7f29ed1d58 100644 --- a/xen/include/xen/time.h +++ b/xen/include/xen/time.h @@ -52,6 +52,8 @@ struct tm gmtime(unsigned long t); #define MILLISECS(_ms) ((s_time_t)((_ms) * 1000000ULL)) #define MICROSECS(_us) ((s_time_t)((_us) * 1000ULL)) #define STIME_MAX ((s_time_t)((uint64_t)~0ull>>1)) +/* Chosen so (NOW() + delta) wont overflow without an uptime of 200 years */ +#define STIME_DELTA_MAX ((s_time_t)((uint64_t)~0ull>>2)) extern void update_vcpu_system_time(struct vcpu *v); extern void update_domain_wallclock_time(struct domain *d); -- cgit v1.2.3